Re: The Blue Pill of Threat Intelligence

[Zack <zpayton () gmail com>]

Let me start with the statement that I have mad love for Dave.  While I loved the article Dave and mostly agree with 
you, I wanted to note a few things.  To be completely fair, your article was written by someone selling something that 
competes for budget dollars with av products and this email post is written by someone who consumes consumes data feeds 
from an array of 'sensors' whether those sensors are vuln reports written by offensive security teams, AV logs, or 
threat intelligence feeds from various groups (IRC channels of actors / private TAXI exchanges).  

In your article you state that threat intel is sold on a per host basis and requires an agent.  While this is true in 
some cases (I'm looking at you carbon black / bit9), I really see them more as an agent that sources indicators 
aggregated from private and public sources.  The point, dear reader, is don't misconstrue threat intel from products.  
Threat intel is a data stream (though the feed itself can be a product) of information valuable to your Situational 
Awareness.  If some vendor wants to include the automata that acts on that data stream well that's another fucking 
product.

Ultimately, data relevant to your environment is valuable and as Dave hinted at, some of the best threat intelligence 
comes from your own data sources: DNS queries, process hashes, netflow data, authentication/authorization audit logs, 
proxy logs.  Those are all high value threat feeds because they 100% apply to you.  Threat intel coming from external 
parties can be valuable as well but is more noisy: how many of those 100,000,000 known C2 domains are you really gonna 
see on your network?

No data stream is gonna be complete and correlating multiple streams together based on what's available and valuable to 
your environment is key.   Personally I find that modeling your normal usage patterns and alerting based on anomaly to 
be less noisy but I also find value in lists of known bad domains / ip / whatever.

In the end, using these feeds to ply your SA impacts judgment (automated or manual) and everything else in your 
ecosystem is just a data stream you use to augment your perception.  I advocate mastering your least noisy streams 
first and try to see each intel feed / data stream as just another input.  The value of data streams coming from AV is 
rapidly diminishing if not already so noisy as to be useless.

I saw a talk in Vegas about measuring the IQ of your threat feeds and while the talk wasn't that groundbreaking it did 
leave some interesting food for thought: mainly diffing various intel feeds to get a fuzzy feeling of unique content.  
Running through the mental exercise I realized that your internal data feeds are going to have a lot more unique 
content that is directly applicable to you meanwhile more than 99% of data from most external sources were never 
applicable.

Z

> On Oct 15, 2014, at 8:59 AM, Dave Aitel <dave () immunityinc com> wrote:
>
> http://www.fierceitsecurity.com/story/threat-intelligence-problem/2014-10-13
>
> In this article I go over "Threat Intelligence". And I'm a little hard
> on it because I think it has to make a choice, and soon. In one hand, is
> a pill that takes it down the road to AV-like financial success, but
> strategic failure. And in the other hand, the current models are only
> stepping stones towards offerings that provide true strategic
> situational awareness to their clients, so their clients can build
> customized incident response programs that really work.
>
> Honestly, I think because of the way VC-funded firms work, we may end up
> taking the blue pill, which is unfortunately for companies, but good for
> those of us doing offense.
>
> -dave
>
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunityinc com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave